Cyber Resilience

CVE-2023-41061

HighCISA KEVActive ExploitationEUVD Exploited

Published: 07 September 2023

Published
07 September 2023
Modified
23 October 2025
KEV Added
11 September 2023
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0114 78.8th percentile
Risk Priority 36 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-41061 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apple Ipados. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 21.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A validation issue was addressed with improved logic in watchOS, iOS, and iPadOS. The flaw affects versions prior to watchOS 9.6.2, iOS 16.6.1, and iPadOS 16.6.1 and permits a maliciously crafted attachment to trigger arbitrary code execution. The issue carries a CVSS 3.1 base score of 7.8 with an attack vector that is local, requires low complexity and no privileges, but depends on user interaction with the attachment.

An attacker able to supply a crafted attachment can achieve code execution on the target device, resulting in full compromise of confidentiality, integrity, and availability. Because the vector is local and user-interaction dependent, exploitation typically involves delivering the attachment through messaging, email, or other channels that allow the victim to open or preview the file.

Apple security updates HT213905 and HT213907, along with the corresponding Full Disclosure postings, state that the vulnerability is resolved by installing watchOS 9.6.2, iOS 16.6.1, or iPadOS 16.6.1. The advisories further note that Apple is aware of reports indicating the issue may have been actively exploited in the wild. The associated EPSS values have remained low and essentially flat, with a current score of 0.0114 and a peak of 0.0115.

EU & UK References

Vulnerability details

A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may…

more

have been actively exploited.

CWE(s)
KEV Date Added
11 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apple
ipados
≤ 16.6.1
apple
iphone os
≤ 16.6.1
apple
watchos
≤ 9.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the root cause (CWE-20 improper input validation) by enforcing validation of untrusted attachment data before processing.

prevent

Requires timely application of the vendor patches (iOS 16.6.1 / watchOS 9.6.2) that remediate the validation flaw.

preventdetect

Malicious-code protections can block or alert on the arbitrary code introduced by the crafted attachment.

References